GreyEnergy

Malware updated 23 days ago (2024-11-29T13:33:10.738Z)
GreyEnergy is a malware family designed to compromise and damage computer systems. It is believed to have been used in attacks on Ukraine's power grid in 2018 by the Russia-linked Advanced Persistent Threat (APT) group Sandworm. Security firm WithSecure has identified overlaps between GreyEnergy and another malware family, Kapeka, suggesting that the two may be related. Conceptual similarities were likewise found between GreyEnergy and its probable predecessor, BlackEnergy, which was also associated with Sandworm's cyber-attacks. The research suggests that Kapeka could be a successor to GreyEnergy, following a pattern of malware evolution within Sandworm's arsenal. Both GreyEnergy and Kapeka consist of a dropper component with an embedded main backdoor that gives the operator unauthorized access to infected systems. This assessment is further supported by overlaps between Kapeka and the Prestige ransomware attacks, attributed to Sandworm, which targeted Ukraine in 2022. In conclusion, there is strong evidence of a connection between Kapeka, GreyEnergy, and the Sandworm APT group. While the two malware samples do not share source code, their conceptual overlaps and shared usage patterns suggest a lineage of development. This finding underscores the evolving threat posed by Sandworm and the importance of continued vigilance and research.
Description last updated: 2024-05-05T10:17:06.199Z
Possible Aliases / Cluster overlaps
Cluster overlaps and naming conventions are hard to track between vendors, so the following are possible overlapping names and profiles that may also be of interest.
Alias | Description | Votes
Sandworm | Sandworm is a possible alias for GreyEnergy. Sandworm, a threat actor linked to Russia, has been identified as the primary cyber attack unit supporting Russian military activities in Ukraine. This group is notorious for its sophisticated and disruptive cyber attacks, including the compromise of 11 Ukrainian telecommunications providers which c | 5
BlackEnergy | BlackEnergy is a possible alias for GreyEnergy. BlackEnergy is a potent malware toolkit that has been utilized by criminal and Advanced Persistent Threat (APT) actors since 2007. Its destructive capabilities were notably demonstrated in Ukraine where it was used for cyber-espionage, compromising industrial control systems, and launching attacks a | 4
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Ukraine
Backdoor
Malware
Associated Malware
Alias | Description | Association Type | Votes
Kapeka | The Kapeka Malware is associated with GreyEnergy. Kapeka is a previously unknown malware that operates as a backdoor into systems, linked to the Russian Sandworm Advanced Persistent Threat (APT) group. The malicious software can infiltrate a system through suspicious downloads, emails, or websites, often without the user's knowledge. Once inside, i | is related to | 4
Prestige | The Prestige Malware is associated with GreyEnergy. Prestige is a malicious software (malware) that has been linked to several disruptive cyberattacks. In October 2022, the malware was used in ransomware attacks against Ukrainian and Polish logistics companies. These attacks were attributed to Sandworm, an advanced persistent threat (APT) group belie | Unspecified | 2